From: George Matovu (gmatovu@resourcenetworks.com)
Date: Fri Oct 25 2002 - 14:46:28 GMT-3
I believe your best bet may be to use a sniffer on the private side of your
network. You need to monitor the inside interface of the PIX firewall by
using the SPAN feature on the switch. You may configure a capture filter on
the sniffer by host or network IP address to limit the captured traffic to
only that associated with the site of interest.
Capturing on the inside network as opposed to the outside ensures that you
will identify the hostname or the local IP address
of the offender. With an IP address you have the option of referring to the
DHCP server, if need be, to find out who had the lease...
Thanks,
George
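As an added illustration of the capture-filter idea in George's reply (example code, not from the thread): the script below reads a libpcap file as it would come off a SPAN session on the PIX inside interface and lists the internal source addresses that sent traffic to the site of interest, so the pre-PAT address is visible directly. The inside network 10.0.0.0/8, the global/PAT address, the sample capture and its timestamps are all constructed for the example; the complained-about host 198.133.219.25 is the one from Brian's access-list further down the thread.

```python
"""Added example (not from the original thread): pick out, from a libpcap
capture taken on the PIX inside interface (e.g. via a SPAN port), the
internal source addresses that talked to a given external host.

Everything here is constructed for the example: the inside network, the
sample capture and its timestamps (RFC 5737 ranges for the other hosts)."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialize (timestamp, frame_bytes) pairs into a libpcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src_ip, dst_ip, sport, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame (no payload, checksums zeroed)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip, proto, sport, dport) per IPv4 packet."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + caplen]
        offset += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        sport = dport = None
        l4 = 14 + ihl
        if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP or UDP ports
            sport, dport = struct.unpack_from("!HH", frame, l4)
        yield (sec + usec / 1e6, src, dst, proto, sport, dport)


def inside_talkers(data, target, inside_net, dport=None):
    """Return {inside_ip: [timestamps]} for packets from inside_net to target.

    This is the same selection a sniffer capture filter such as
    'host <target> and net <inside_net>' would make, applied after the fact."""
    net = ipaddress.ip_network(inside_net)
    hits = {}
    for ts, src, dst, proto, sp, dp in parse_pcap(data):
        if dst != target or ipaddress.ip_address(src) not in net:
            continue
        if dport is not None and dp != dport:
            continue
        hits.setdefault(src, []).append(ts)
    return hits


# Constructed capture: two inside hosts, one of which hits the complained-about site.
SAMPLE_CAPTURE = build_pcap([
    (1035556800.0, build_tcp_frame("10.20.30.40", "198.133.219.25", 3355, 80)),
    (1035556801.5, build_tcp_frame("10.20.31.7", "192.0.2.10", 3356, 80)),
    (1035556802.0, build_tcp_frame("10.20.30.40", "198.133.219.25", 3357, 80)),
])

if __name__ == "__main__":
    for ip, times in inside_talkers(SAMPLE_CAPTURE, "198.133.219.25", "10.0.0.0/8", 80).items():
        print(ip, len(times), "packets")
```

On a live sniffer the same selection is done up front with the capture filter, which is what keeps the volume manageable on a busy inside segment; the parser above is only for working through a saved capture.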
-----Original Message-----
From: Sam Munzani [mailto:sam@munzani.com]
Sent: Friday, October 25, 2002 10:45 AM
To: LoizosCisco; Brian Dennis; ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: Re: PIX Question
Sounds good but the volume will be a killer. Imagine supporting 20000+ users
and logging all denied traffic.
I got packet sniffing ideas from somebody but that would be way too much
traffic to capture. PIX outside interface is serving 70Mbps traffic right
now. I don't think Sniffer can scale well in this environment either.
I think we will end up relying on Web Sense for all denied HTTP URLs and PIX
syslog for all Denied traffic.
Thanks,
Sam
> Sam,
>
> What about using a "DENY any any log" at the end?
> Then check the log to see who is denied? BUT do not
> deny everybody...you still allow those already set to
> be allowed.
>
> Loizos
>
> --- Sam Munzani <sam@zealtron.com> wrote:
> > Brian,
> >
> > Your first suggestion can be an option for ongoing
> > investigation but not the second. Whoever is using
> > our network to hack somebody else, will not come
> > forward and say, I can't access that web site.
> >
> > I am getting different ideas from everybody. After
> > compiling all different ideas, we may come up with
> > some kind of solution (may not be the best one but
> > better than nothing).
> >
> > Thanks,
> > Sam
> >
> > > If you have a router behind the PIX you can put an access-list in that
> > > will log when someone goes to that particular website.
> > >
> > > access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> > > access-list 100 permit ip any any
> > >
> > > int fa0/0
> > > description Interface to PIX
> > > ip access-group 100 out
> > >
> > > Another option would be to just not allow anyone to get to that
> > > website and see who complains. Let them come to you ;-)
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sam Munzani
> > > Sent: Wednesday, October 23, 2002 12:43 PM
> > > To: ccielab@groupstudy.com
> > > Cc: cciesecurity@yahoogroups.com
> > > Subject: PIX Question
> > >
> > > Group,
> > >
> > > I have PIX setup with PAT. Hiding 15000+ stations behind a few IP. We
> > > are getting complaints from some web sites that somebody from our network
> > > tried to hack their server. Since it's PAT, all they can give us was Date/Time
> > > when our IP tried to hack their server.
> > >
> > > Syslogging Informational messages to a syslog server could give me enough
> > > data to trace this hacker in my internal network. However for 25000+
> > > connections it's a big overhead on PIX and syslog server.
> > >
> > > Does anybody have a better idea to trace it? Any ideas would be greatly
> > > appreciated.
> > >
> > > Thanks,
> > > Sam
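The PIX syslog approach that runs through the thread (Sam's original question, and his plan to rely on PIX syslog for the trace), as an added example that is not part of any post: given what a complainant can actually supply, namely your global address, their server's address and a date/time, the script walks the PIX connection-build messages and returns the inside (pre-PAT) address and port that opened a matching connection. The log line layout is an assumption modeled on the PIX "%PIX-6-302001: Built outbound TCP connection ... faddr/gaddr/laddr" message; the exact wording differs between PIX releases, so the regex must be checked against your own firewall's output. The global address 203.0.113.5, the GMT-3 log clock, the inside hosts and the sample lines are all constructed.

```python
"""Added example (not from the thread): correlate a complaint ("your address
203.0.113.5 hit our server at 2002-10-25 13:31 UTC") with PIX connection-build
syslog to recover the inside address hidden behind PAT.

Assumptions, not facts from the thread: the line layout is modeled on the
PIX %PIX-6-302001 'Built outbound TCP connection' message (faddr = foreign,
gaddr = global/PAT, laddr = local); verify the regex against your PIX version.
All sample lines, addresses and the log time zone are constructed."""
import re
from datetime import datetime, timedelta, timezone

BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-6-302001: "
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)$"
)

# Constructed: the PIX clock is assumed to run in GMT-3; the complainant's
# timestamp is converted into the same aware-datetime space before comparing.
LOG_TZ = timezone(timedelta(hours=-3))


def parse_built(line, tz=LOG_TZ):
    """Parse one connection-build line into a dict, or None for other messages."""
    m = BUILT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec.pop("ts"), "%b %d %Y %H:%M:%S").replace(tzinfo=tz)
    return rec


def find_inside_host(lines, global_ip, remote_ip, reported_at,
                     slack=timedelta(minutes=5), remote_port=None):
    """Return (laddr/lport, log time) tuples for outbound connections that left
    through global_ip towards remote_ip within +/- slack of reported_at.

    The slack absorbs clock skew between the complainant and the PIX; widen it
    when the remote side only gives a time to the minute or an unclear zone."""
    candidates = []
    for line in lines:
        rec = parse_built(line)
        if rec is None or rec["dir"] != "outbound":
            continue
        if rec["gaddr"] != global_ip or rec["faddr"] != remote_ip:
            continue
        if remote_port is not None and rec["fport"] != str(remote_port):
            continue
        if abs(rec["when"] - reported_at) > slack:
            continue
        candidates.append((f'{rec["laddr"]}/{rec["lport"]}', rec["when"]))
    return candidates


# Constructed syslog excerpt: one unrelated connection, one teardown message
# (ignored by the parser), and two connections to the complained-about host.
SAMPLE_SYSLOG = """\
Oct 25 2002 10:29:58: %PIX-6-302001: Built outbound TCP connection 4702 for faddr 192.0.2.10/80 gaddr 203.0.113.5/1031 laddr 10.20.31.7/3356
Oct 25 2002 10:31:02: %PIX-6-302001: Built outbound TCP connection 4711 for faddr 198.133.219.25/80 gaddr 203.0.113.5/1033 laddr 10.20.30.40/3355
Oct 25 2002 10:31:09: %PIX-6-302002: Teardown TCP connection 4702 faddr 192.0.2.10/80 gaddr 203.0.113.5/1031 laddr 10.20.31.7/3356 duration 0:01:11 bytes 5120
Oct 25 2002 11:45:30: %PIX-6-302001: Built outbound TCP connection 4890 for faddr 198.133.219.25/80 gaddr 203.0.113.5/1040 laddr 10.20.32.9/2099
""".splitlines()

if __name__ == "__main__":
    # Complainant's report, given in UTC (13:31 UTC == 10:31 GMT-3 on the PIX).
    reported = datetime(2002, 10, 25, 13, 31, tzinfo=timezone.utc)
    for who, when in find_inside_host(SAMPLE_SYSLOG, "203.0.113.5", "198.133.219.25", reported):
        print(who, "at", when.isoformat())
```

The usual pitfall is the time zone: the remote site reports in its own local time, the PIX stamps in whatever its clock is set to, and a wrong guess moves the window by hours and lands on a different inside host. With the slack widened to cover the uncertainty the function returns every candidate in the window rather than a single guess, which is the honest answer to give before going to the DHCP lease table.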
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3